Edit tour

Windows Analysis Report
BjLxqVU7m4.dll

Overview

General Information

Sample name:	BjLxqVU7m4.dll renamed because original name is a hash value
Original sample name:	4b7a85411716775d966284e879a6bda87feade4c9f40cb94ade6e217793e8a84.exe
Analysis ID:	1563002
MD5:	bd804dfa6fafa1917f83060a30f7f1d0
SHA1:	68cc23c6877806705588ceb6fec57d913a543c1d
SHA256:	4b7a85411716775d966284e879a6bda87feade4c9f40cb94ade6e217793e8a84
Tags:	148-135-121-165exeuser-JAMESWT_MHT
Infos:

Detection

Score:	72
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for submitted file

AI detected suspicious sample

Allocates memory in foreign processes

Creates a thread in another existing process (thread injection)

Writes to foreign memory regions

Contains functionality to call native functions

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Detected potential crypto function

JA3 SSL client fingerprint seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

Sample execution stops while process was sleeping (likely an evasion)

Yara signature match

Classification

Process Tree

System is w10x64

loaddll64.exe (PID: 7348 cmdline: loaddll64.exe "C:\Users\user\Desktop\BjLxqVU7m4.dll" MD5: 763455F9DCB24DFEECC2B9D9F8D46D52)

conhost.exe (PID: 7356 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

cmd.exe (PID: 7400 cmdline: cmd.exe /C rundll32.exe "C:\Users\user\Desktop\BjLxqVU7m4.dll",#1 MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

rundll32.exe (PID: 7432 cmdline: rundll32.exe "C:\Users\user\Desktop\BjLxqVU7m4.dll",#1 MD5: EF3179D498793BF4234F708D3BE28633)

sdiagnhost.exe (PID: 7460 cmdline: c:\windows\System32\sdiagnhost.exe MD5: 3A161A0124CE64840140D6A9943A5DD3)

conhost.exe (PID: 7532 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

sdiagnhost.exe (PID: 7408 cmdline: c:\windows\System32\sdiagnhost.exe MD5: 3A161A0124CE64840140D6A9943A5DD3)

conhost.exe (PID: 7472 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

cleanup

Yara Signatures

Memory Dumps

Source	Rule	Description	Author	Strings
00000003.00000002.3100684042.000001DFF8EE0000.00000040.00000400.00020000.00000000.sdmp	Windows_Trojan_Donutloader_f40e3759	unknown	unknown	0x5b19:$x64: 06 B8 03 40 00 80 C3 4C 8B 49 10 49 0x90af:$x86: 04 75 EE 89 31 F0 FF 46 04 33 C0 EB
00000005.00000002.3100687201.00000264CA0E0000.00000040.00000400.00020000.00000000.sdmp	Windows_Trojan_Donutloader_f40e3759	unknown	unknown	0x5b19:$x64: 06 B8 03 40 00 80 C3 4C 8B 49 10 49 0x90af:$x86: 04 75 EE 89 31 F0 FF 46 04 33 C0 EB
00000004.00000003.1292237579.000001E618988000.00000004.00000020.00020000.00000000.sdmp	Windows_Trojan_Donutloader_f40e3759	unknown	unknown	0x5099:$x64: 06 B8 03 40 00 80 C3 4C 8B 49 10 49 0x862f:$x86: 04 75 EE 89 31 F0 FF 46 04 33 C0 EB
00000004.00000002.1292570457.0000005A5A9E2000.00000004.00000010.00020000.00000000.sdmp	Windows_Trojan_Donutloader_f40e3759	unknown	unknown	0x6899:$x64: 06 B8 03 40 00 80 C3 4C 8B 49 10 49
00000000.00000002.2450460206.000000EE24142000.00000004.00000010.00020000.00000000.sdmp	Windows_Trojan_Donutloader_f40e3759	unknown	unknown	0x6e69:$x64: 06 B8 03 40 00 80 C3 4C 8B 49 10 49 0xa3ff:$x86: 04 75 EE 89 31 F0 FF 46 04 33 C0 EB
00000000.00000003.2450321100.0000020E89DFC000.00000004.00000020.00020000.00000000.sdmp	Windows_Trojan_Donutloader_f40e3759	unknown	unknown	0x59d9:$x64: 06 B8 03 40 00 80 C3 4C 8B 49 10 49 0x8f6f:$x86: 04 75 EE 89 31 F0 FF 46 04 33 C0 EB
Click to see the 1 entries

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Multi AV Scanner detection for submitted file

Source: BjLxqVU7m4.dll

ReversingLabs: Detection: 50%

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 97.6% probability

Source: unknown	HTTPS traffic detected: 148.135.121.165:443 -> 192.168.2.7:49699 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 148.135.121.165:443 -> 192.168.2.7:49700 version: TLS 1.2

Source: BjLxqVU7m4.dll

Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT

Source:	Binary string: F:\Code\ctf\catchme\source\httpshellcode\x64\Release\httpshellcode.pdb&& source: sdiagnhost.exe, 00000003.00000002.3101557902.000001DFF9150000.00000004.00001000.00020000.00000000.sdmp, sdiagnhost.exe, 00000003.00000002.3101796777.000001DFFA933000.00000002.10000000.00040000.00000000.sdmp, sdiagnhost.exe, 00000005.00000002.3101107214.00000264CA283000.00000002.10000000.00040000.00000000.sdmp, sdiagnhost.exe, 00000005.00000002.3100928223.00000264CA250000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: F:\Code\ctf\catchme\source\httpshellcode\x64\Release\httpshellcode.pdb source: sdiagnhost.exe, 00000003.00000002.3101557902.000001DFF9150000.00000004.00001000.00020000.00000000.sdmp, sdiagnhost.exe, 00000003.00000002.3101796777.000001DFFA933000.00000002.10000000.00040000.00000000.sdmp, sdiagnhost.exe, 00000005.00000002.3101107214.00000264CA283000.00000002.10000000.00040000.00000000.sdmp, sdiagnhost.exe, 00000005.00000002.3100928223.00000264CA250000.00000004.00001000.00020000.00000000.sdmp

Source: Joe Sandbox View

JA3 fingerprint: 72a589da586844d7f0818ce684948eea

Source: unknown	TCP traffic detected without corresponding DNS query: 148.135.121.165
Source: unknown	TCP traffic detected without corresponding DNS query: 148.135.121.165
Source: unknown	TCP traffic detected without corresponding DNS query: 148.135.121.165
Source: unknown	TCP traffic detected without corresponding DNS query: 148.135.121.165
Source: unknown	TCP traffic detected without corresponding DNS query: 148.135.121.165
Source: unknown	TCP traffic detected without corresponding DNS query: 148.135.121.165
Source: unknown	TCP traffic detected without corresponding DNS query: 148.135.121.165
Source: unknown	TCP traffic detected without corresponding DNS query: 148.135.121.165
Source: unknown	TCP traffic detected without corresponding DNS query: 148.135.121.165
Source: unknown	TCP traffic detected without corresponding DNS query: 148.135.121.165
Source: unknown	TCP traffic detected without corresponding DNS query: 148.135.121.165
Source: unknown	TCP traffic detected without corresponding DNS query: 148.135.121.165
Source: unknown	TCP traffic detected without corresponding DNS query: 148.135.121.165
Source: unknown	TCP traffic detected without corresponding DNS query: 148.135.121.165
Source: unknown	TCP traffic detected without corresponding DNS query: 148.135.121.165
Source: unknown	TCP traffic detected without corresponding DNS query: 148.135.121.165
Source: unknown	TCP traffic detected without corresponding DNS query: 148.135.121.165
Source: unknown	TCP traffic detected without corresponding DNS query: 148.135.121.165
Source: unknown	TCP traffic detected without corresponding DNS query: 148.135.121.165
Source: unknown	TCP traffic detected without corresponding DNS query: 148.135.121.165

Source: global traffic	HTTP traffic detected: GET /39ffc7e3-0abd-4695-9967-553cce533999/5b790c2e-bfea-406c-af40-edc931ddeac3 HTTP/1.1Connection: Keep-AliveContent-Type: text/plainUser-Agent: HCMUS-CTF BotnetHost: 148.135.121.165
Source: global traffic	HTTP traffic detected: GET /39ffc7e3-0abd-4695-9967-553cce533999/5b790c2e-bfea-406c-af40-edc931ddeac3 HTTP/1.1Connection: Keep-AliveContent-Type: text/plainUser-Agent: HCMUS-CTF BotnetHost: 148.135.121.165

Source: sdiagnhost.exe, 00000003.00000003.1878124649.000001DFF903F000.00000004.00000020.00020000.00000000.sdmp, sdiagnhost.exe, 00000003.00000002.3100846109.000001DFF903F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://148.135.121.165/
Source: sdiagnhost.exe, 00000003.00000003.1878124649.000001DFF903F000.00000004.00000020.00020000.00000000.sdmp, sdiagnhost.exe, 00000003.00000002.3100846109.000001DFF903F000.00000004.00000020.00020000.00000000.sdmp, sdiagnhost.exe, 00000005.00000003.1876714389.00000264CA2FD000.00000004.00000020.00020000.00000000.sdmp, sdiagnhost.exe, 00000005.00000002.3101489905.00000264CA2FE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://148.135.121.165/39ffc7e3-0abd-4695-9967-553cce533999/5b790c2e-bfea-406c-af40-edc931ddeac3
Source: sdiagnhost.exe, 00000003.00000003.1878209479.000001DFF9081000.00000004.00000020.00020000.00000000.sdmp, sdiagnhost.exe, 00000003.00000003.1877665240.000001DFF907F000.00000004.00000020.00020000.00000000.sdmp, sdiagnhost.exe, 00000005.00000003.1876779159.00000264CA341000.00000004.00000020.00020000.00000000.sdmp, sdiagnhost.exe, 00000005.00000003.1276315126.00000264CA33F000.00000004.00000020.00020000.00000000.sdmp, sdiagnhost.exe, 00000005.00000002.3101780226.00000264CA342000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://148.135.121.165/39ffc7e3-0abd-4695-9967-553cce533999/5b790c2e-bfea-406c-af40-edc931ddeac30u0
Source: sdiagnhost.exe, 00000005.00000003.1876714389.00000264CA2FD000.00000004.00000020.00020000.00000000.sdmp, sdiagnhost.exe, 00000005.00000002.3101489905.00000264CA2FE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://148.135.121.165/39ffc7e3-0abd-4695-9967-553cce533999/5b790c2e-bfea-406c-af40-edc931ddeac3e6p
Source: sdiagnhost.exe, 00000005.00000003.1876714389.00000264CA2FD000.00000004.00000020.00020000.00000000.sdmp, sdiagnhost.exe, 00000005.00000002.3101489905.00000264CA2FE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://148.135.121.165/r5J
Source: sdiagnhost.exe, 00000003.00000003.1878124649.000001DFF903F000.00000004.00000020.00020000.00000000.sdmp, sdiagnhost.exe, 00000003.00000002.3100846109.000001DFF903F000.00000004.00000020.00020000.00000000.sdmp, sdiagnhost.exe, 00000005.00000003.1876714389.00000264CA2FD000.00000004.00000020.00020000.00000000.sdmp, sdiagnhost.exe, 00000005.00000002.3101489905.00000264CA2FE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://148.135.121.165:443/39ffc7e3-0abd-4695-9967-553cce533999/5b790c2e-bfea-406c-af40-edc931ddeac

Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49700
Source: unknown	Network traffic detected: HTTP traffic on port 49699 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49699
Source: unknown	Network traffic detected: HTTP traffic on port 49700 -> 443

Source: unknown	HTTPS traffic detected: 148.135.121.165:443 -> 192.168.2.7:49699 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 148.135.121.165:443 -> 192.168.2.7:49700 version: TLS 1.2

System Summary

Malicious sample detected (through community Yara rule)

Source: 00000003.00000002.3100684042.000001DFF8EE0000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Donutloader_f40e3759 Author: unknown
Source: 00000005.00000002.3100687201.00000264CA0E0000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Donutloader_f40e3759 Author: unknown
Source: 00000004.00000003.1292237579.000001E618988000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Donutloader_f40e3759 Author: unknown
Source: 00000004.00000002.1292570457.0000005A5A9E2000.00000004.00000010.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Donutloader_f40e3759 Author: unknown
Source: 00000000.00000002.2450460206.000000EE24142000.00000004.00000010.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Donutloader_f40e3759 Author: unknown
Source: 00000000.00000003.2450321100.0000020E89DFC000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Donutloader_f40e3759 Author: unknown

Source: C:\Windows\System32\sdiagnhost.exe	Code function: 3_2_000001DFF8EE75CD NtCreateSection,NtMapViewOfSection,VirtualAlloc,NtUnmapViewOfSection,NtMapViewOfSection,VirtualProtect,VirtualProtect,VirtualProtect,		3_2_000001DFF8EE75CD
Source: C:\Windows\System32\sdiagnhost.exe	Code function: 5_2_00000264CA0E75CD NtCreateSection,NtMapViewOfSection,VirtualAlloc,NtUnmapViewOfSection,NtMapViewOfSection,VirtualProtect,VirtualProtect,VirtualProtect,		5_2_00000264CA0E75CD

Source: C:\Windows\System32\sdiagnhost.exe	Code function: 3_2_000001DFF8EE75CD	3_2_000001DFF8EE75CD
Source: C:\Windows\System32\sdiagnhost.exe	Code function: 3_2_000001DFF8EE6DC5	3_2_000001DFF8EE6DC5
Source: C:\Windows\System32\sdiagnhost.exe	Code function: 3_2_000001DFF8EEA8C5	3_2_000001DFF8EEA8C5
Source: C:\Windows\System32\sdiagnhost.exe	Code function: 3_2_000001DFF8EE5ED1	3_2_000001DFF8EE5ED1
Source: C:\Windows\System32\sdiagnhost.exe	Code function: 3_2_000001DFF8EE7195	3_2_000001DFF8EE7195
Source: C:\Windows\System32\sdiagnhost.exe	Code function: 3_2_000001DFF8EE806D	3_2_000001DFF8EE806D
Source: C:\Windows\System32\sdiagnhost.exe	Code function: 3_2_000001DFFA9311C0	3_2_000001DFFA9311C0
Source: C:\Windows\System32\sdiagnhost.exe	Code function: 5_2_00000264CA0E75CD	5_2_00000264CA0E75CD
Source: C:\Windows\System32\sdiagnhost.exe	Code function: 5_2_00000264CA0E6DC5	5_2_00000264CA0E6DC5
Source: C:\Windows\System32\sdiagnhost.exe	Code function: 5_2_00000264CA0E806D	5_2_00000264CA0E806D
Source: C:\Windows\System32\sdiagnhost.exe	Code function: 5_2_00000264CA0E7195	5_2_00000264CA0E7195
Source: C:\Windows\System32\sdiagnhost.exe	Code function: 5_2_00000264CA0E5ED1	5_2_00000264CA0E5ED1
Source: C:\Windows\System32\sdiagnhost.exe	Code function: 5_2_00000264CA0EA8C5	5_2_00000264CA0EA8C5
Source: C:\Windows\System32\sdiagnhost.exe	Code function: 5_2_00000264CA2811C0	5_2_00000264CA2811C0

Source: 00000003.00000002.3100684042.000001DFF8EE0000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Donutloader_f40e3759 os = windows, severity = x86, creation_date = 2021-09-15, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Donutloader, fingerprint = 6400b34f762cebb4f91a8d24c5fce647e069a971fb3ec923a63aa98c8cfffab7, id = f40e3759-2531-4e21-946a-fb55104814c0, last_modified = 2022-01-13
Source: 00000005.00000002.3100687201.00000264CA0E0000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Donutloader_f40e3759 os = windows, severity = x86, creation_date = 2021-09-15, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Donutloader, fingerprint = 6400b34f762cebb4f91a8d24c5fce647e069a971fb3ec923a63aa98c8cfffab7, id = f40e3759-2531-4e21-946a-fb55104814c0, last_modified = 2022-01-13
Source: 00000004.00000003.1292237579.000001E618988000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Donutloader_f40e3759 os = windows, severity = x86, creation_date = 2021-09-15, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Donutloader, fingerprint = 6400b34f762cebb4f91a8d24c5fce647e069a971fb3ec923a63aa98c8cfffab7, id = f40e3759-2531-4e21-946a-fb55104814c0, last_modified = 2022-01-13
Source: 00000004.00000002.1292570457.0000005A5A9E2000.00000004.00000010.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Donutloader_f40e3759 os = windows, severity = x86, creation_date = 2021-09-15, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Donutloader, fingerprint = 6400b34f762cebb4f91a8d24c5fce647e069a971fb3ec923a63aa98c8cfffab7, id = f40e3759-2531-4e21-946a-fb55104814c0, last_modified = 2022-01-13
Source: 00000000.00000002.2450460206.000000EE24142000.00000004.00000010.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Donutloader_f40e3759 os = windows, severity = x86, creation_date = 2021-09-15, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Donutloader, fingerprint = 6400b34f762cebb4f91a8d24c5fce647e069a971fb3ec923a63aa98c8cfffab7, id = f40e3759-2531-4e21-946a-fb55104814c0, last_modified = 2022-01-13
Source: 00000000.00000003.2450321100.0000020E89DFC000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Donutloader_f40e3759 os = windows, severity = x86, creation_date = 2021-09-15, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Donutloader, fingerprint = 6400b34f762cebb4f91a8d24c5fce647e069a971fb3ec923a63aa98c8cfffab7, id = f40e3759-2531-4e21-946a-fb55104814c0, last_modified = 2022-01-13

Source: classification engine

Classification label: mal72.evad.winDLL@12/0@0/1

Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7356:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7472:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7532:120:WilError_03

Source: BjLxqVU7m4.dll

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Windows\System32\loaddll64.exe

Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: C:\Windows\System32\cmd.exe

Process created: C:\Windows\System32\rundll32.exe rundll32.exe "C:\Users\user\Desktop\BjLxqVU7m4.dll",#1

Source: BjLxqVU7m4.dll

ReversingLabs: Detection: 50%

Source: unknown	Process created: C:\Windows\System32\loaddll64.exe loaddll64.exe "C:\Users\user\Desktop\BjLxqVU7m4.dll"
Source: C:\Windows\System32\loaddll64.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\loaddll64.exe	Process created: C:\Windows\System32\cmd.exe cmd.exe /C rundll32.exe "C:\Users\user\Desktop\BjLxqVU7m4.dll",#1
Source: C:\Windows\System32\loaddll64.exe	Process created: C:\Windows\System32\sdiagnhost.exe c:\windows\System32\sdiagnhost.exe
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\rundll32.exe rundll32.exe "C:\Users\user\Desktop\BjLxqVU7m4.dll",#1
Source: C:\Windows\System32\rundll32.exe	Process created: C:\Windows\System32\sdiagnhost.exe c:\windows\System32\sdiagnhost.exe
Source: C:\Windows\System32\sdiagnhost.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\sdiagnhost.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\loaddll64.exe	Process created: C:\Windows\System32\cmd.exe cmd.exe /C rundll32.exe "C:\Users\user\Desktop\BjLxqVU7m4.dll",#1	Jump to behavior
Source: C:\Windows\System32\loaddll64.exe	Process created: C:\Windows\System32\sdiagnhost.exe c:\windows\System32\sdiagnhost.exe	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\rundll32.exe rundll32.exe "C:\Users\user\Desktop\BjLxqVU7m4.dll",#1	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Process created: C:\Windows\System32\sdiagnhost.exe c:\windows\System32\sdiagnhost.exe	Jump to behavior

Source: C:\Windows\System32\loaddll64.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Windows\System32\loaddll64.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\sdiagnhost.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\sdiagnhost.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Windows\System32\sdiagnhost.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\System32\sdiagnhost.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\System32\sdiagnhost.exe	Section loaded: msvcp140.dll	Jump to behavior
Source: C:\Windows\System32\sdiagnhost.exe	Section loaded: vcruntime140.dll	Jump to behavior
Source: C:\Windows\System32\sdiagnhost.exe	Section loaded: vcruntime140_1.dll	Jump to behavior
Source: C:\Windows\System32\sdiagnhost.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Windows\System32\sdiagnhost.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\System32\sdiagnhost.exe	Section loaded: webio.dll	Jump to behavior
Source: C:\Windows\System32\sdiagnhost.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Windows\System32\sdiagnhost.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\System32\sdiagnhost.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Windows\System32\sdiagnhost.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\sdiagnhost.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Windows\System32\sdiagnhost.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Windows\System32\sdiagnhost.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Windows\System32\sdiagnhost.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Windows\System32\sdiagnhost.exe	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Windows\System32\sdiagnhost.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\System32\sdiagnhost.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\System32\sdiagnhost.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\System32\sdiagnhost.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\System32\sdiagnhost.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\System32\sdiagnhost.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Windows\System32\sdiagnhost.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\sdiagnhost.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Windows\System32\sdiagnhost.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\System32\sdiagnhost.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\System32\sdiagnhost.exe	Section loaded: msvcp140.dll	Jump to behavior
Source: C:\Windows\System32\sdiagnhost.exe	Section loaded: vcruntime140.dll	Jump to behavior
Source: C:\Windows\System32\sdiagnhost.exe	Section loaded: vcruntime140_1.dll	Jump to behavior
Source: C:\Windows\System32\sdiagnhost.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Windows\System32\sdiagnhost.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\System32\sdiagnhost.exe	Section loaded: webio.dll	Jump to behavior
Source: C:\Windows\System32\sdiagnhost.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Windows\System32\sdiagnhost.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\System32\sdiagnhost.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Windows\System32\sdiagnhost.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\sdiagnhost.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Windows\System32\sdiagnhost.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Windows\System32\sdiagnhost.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Windows\System32\sdiagnhost.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Windows\System32\sdiagnhost.exe	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Windows\System32\sdiagnhost.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\System32\sdiagnhost.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\System32\sdiagnhost.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\System32\sdiagnhost.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\System32\sdiagnhost.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\System32\sdiagnhost.exe	Section loaded: dpapi.dll	Jump to behavior

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: BjLxqVU7m4.dll

Static PE information: Image base 0x180000000 > 0x60000000

Source: BjLxqVU7m4.dll	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: BjLxqVU7m4.dll	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: BjLxqVU7m4.dll	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: BjLxqVU7m4.dll	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: BjLxqVU7m4.dll	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: BjLxqVU7m4.dll	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT

Source: BjLxqVU7m4.dll

Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT

Source: BjLxqVU7m4.dll

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Source:	Binary string: F:\Code\ctf\catchme\source\httpshellcode\x64\Release\httpshellcode.pdb&& source: sdiagnhost.exe, 00000003.00000002.3101557902.000001DFF9150000.00000004.00001000.00020000.00000000.sdmp, sdiagnhost.exe, 00000003.00000002.3101796777.000001DFFA933000.00000002.10000000.00040000.00000000.sdmp, sdiagnhost.exe, 00000005.00000002.3101107214.00000264CA283000.00000002.10000000.00040000.00000000.sdmp, sdiagnhost.exe, 00000005.00000002.3100928223.00000264CA250000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: F:\Code\ctf\catchme\source\httpshellcode\x64\Release\httpshellcode.pdb source: sdiagnhost.exe, 00000003.00000002.3101557902.000001DFF9150000.00000004.00001000.00020000.00000000.sdmp, sdiagnhost.exe, 00000003.00000002.3101796777.000001DFFA933000.00000002.10000000.00040000.00000000.sdmp, sdiagnhost.exe, 00000005.00000002.3101107214.00000264CA283000.00000002.10000000.00040000.00000000.sdmp, sdiagnhost.exe, 00000005.00000002.3100928223.00000264CA250000.00000004.00001000.00020000.00000000.sdmp

Source: BjLxqVU7m4.dll	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: BjLxqVU7m4.dll	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: BjLxqVU7m4.dll	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: BjLxqVU7m4.dll	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: BjLxqVU7m4.dll	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata

Source: C:\Windows\System32\rundll32.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\System32\conhost.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior

Source: C:\Windows\System32\sdiagnhost.exe	Thread delayed: delay time: 922337203685477			Jump to behavior
Source: C:\Windows\System32\sdiagnhost.exe	Thread delayed: delay time: 922337203685477			Jump to behavior

Source: C:\Windows\System32\loaddll64.exe TID: 7352	Thread sleep time: -120000s >= -30000s	Jump to behavior
Source: C:\Windows\System32\sdiagnhost.exe TID: 7456	Thread sleep time: -30000s >= -30000s	Jump to behavior
Source: C:\Windows\System32\sdiagnhost.exe TID: 7424	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Windows\System32\sdiagnhost.exe TID: 7516	Thread sleep time: -30000s >= -30000s	Jump to behavior
Source: C:\Windows\System32\sdiagnhost.exe TID: 7480	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior

Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\sdiagnhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed

Source: C:\Windows\System32\loaddll64.exe	Thread delayed: delay time: 120000	Jump to behavior
Source: C:\Windows\System32\sdiagnhost.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\System32\sdiagnhost.exe	Thread delayed: delay time: 922337203685477	Jump to behavior

Source: sdiagnhost.exe, 00000003.00000003.1877851785.000001DFF9090000.00000004.00000020.00020000.00000000.sdmp, sdiagnhost.exe, 00000003.00000003.1878377128.000001DFF9090000.00000004.00000020.00020000.00000000.sdmp, sdiagnhost.exe, 00000003.00000002.3101155052.000001DFF9092000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW5OKT
Source: sdiagnhost.exe, 00000005.00000003.1876714389.00000264CA2FD000.00000004.00000020.00020000.00000000.sdmp, sdiagnhost.exe, 00000005.00000003.1876957819.00000264CA310000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW ;4
Source: sdiagnhost.exe, 00000003.00000003.1877851785.000001DFF9090000.00000004.00000020.00020000.00000000.sdmp, sdiagnhost.exe, 00000003.00000003.1878124649.000001DFF903F000.00000004.00000020.00020000.00000000.sdmp, sdiagnhost.exe, 00000003.00000003.1878377128.000001DFF9090000.00000004.00000020.00020000.00000000.sdmp, sdiagnhost.exe, 00000003.00000002.3101155052.000001DFF9092000.00000004.00000020.00020000.00000000.sdmp, sdiagnhost.exe, 00000003.00000002.3100846109.000001DFF903F000.00000004.00000020.00020000.00000000.sdmp, sdiagnhost.exe, 00000005.00000003.1876571755.00000264CA34C000.00000004.00000020.00020000.00000000.sdmp, sdiagnhost.exe, 00000005.00000003.1876779159.00000264CA341000.00000004.00000020.00020000.00000000.sdmp, sdiagnhost.exe, 00000005.00000003.1276315126.00000264CA34C000.00000004.00000020.00020000.00000000.sdmp, sdiagnhost.exe, 00000005.00000003.1276315126.00000264CA33F000.00000004.00000020.00020000.00000000.sdmp, sdiagnhost.exe, 00000005.00000002.3101780226.00000264CA342000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW

HIPS / PFW / Operating System Protection Evasion

Allocates memory in foreign processes

Source: C:\Windows\System32\loaddll64.exe	Memory allocated: C:\Windows\System32\sdiagnhost.exe base: 1DFF8EE0000 protect: page execute and read and write			Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Memory allocated: C:\Windows\System32\sdiagnhost.exe base: 264CA0E0000 protect: page execute and read and write			Jump to behavior

Creates a thread in another existing process (thread injection)

Source: C:\Windows\System32\loaddll64.exe	Thread created: C:\Windows\System32\sdiagnhost.exe EIP: F8EE0000			Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Thread created: C:\Windows\System32\sdiagnhost.exe EIP: CA0E0000			Jump to behavior

Writes to foreign memory regions

Source: C:\Windows\System32\loaddll64.exe	Memory written: C:\Windows\System32\sdiagnhost.exe base: 1DFF8EE0000			Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Memory written: C:\Windows\System32\sdiagnhost.exe base: 264CA0E0000			Jump to behavior

Source: C:\Windows\System32\loaddll64.exe	Process created: C:\Windows\System32\sdiagnhost.exe c:\windows\System32\sdiagnhost.exe	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\rundll32.exe rundll32.exe "C:\Users\user\Desktop\BjLxqVU7m4.dll",#1	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Process created: C:\Windows\System32\sdiagnhost.exe c:\windows\System32\sdiagnhost.exe	Jump to behavior

Source: C:\Windows\System32\sdiagnhost.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	Windows Management Instrumentation	1 DLL Side-Loading	311 Process Injection	1 Rundll32	OS Credential Dumping	1 Security Software Discovery	Remote Services	1 Archive Collected Data	11 Encrypted Channel	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	1 DLL Side-Loading	21 Virtualization/Sandbox Evasion	LSASS Memory	21 Virtualization/Sandbox Evasion	Remote Desktop Protocol	Data from Removable Media	1 Non-Application Layer Protocol	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	Logon Script (Windows)	311 Process Injection	Security Account Manager	2 System Information Discovery	SMB/Windows Admin Shares	Data from Network Shared Drive	2 Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	1 DLL Side-Loading	NTDS	System Network Configuration Discovery	Distributed Component Object Model	Input Capture	1 Ingress Tool Transfer	Traffic Duplication	Data Destruction

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Label	Link
BjLxqVU7m4.dll	50%	ReversingLabs	Win64.Exploit.DonutMarte

URLs

Source	Detection	Scanner	Label
https://148.135.121.165/r5J	0%	Avira URL Cloud	safe
https://148.135.121.165:443/39ffc7e3-0abd-4695-9967-553cce533999/5b790c2e-bfea-406c-af40-edc931ddeac	0%	Avira URL Cloud	safe
https://148.135.121.165/	0%	Avira URL Cloud	safe
https://148.135.121.165/39ffc7e3-0abd-4695-9967-553cce533999/5b790c2e-bfea-406c-af40-edc931ddeac30u0	0%	Avira URL Cloud	safe
https://148.135.121.165/39ffc7e3-0abd-4695-9967-553cce533999/5b790c2e-bfea-406c-af40-edc931ddeac3	0%	Avira URL Cloud	safe
https://148.135.121.165/39ffc7e3-0abd-4695-9967-553cce533999/5b790c2e-bfea-406c-af40-edc931ddeac3e6p	0%	Avira URL Cloud	safe

Domains and IPs

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
https://148.135.121.165/39ffc7e3-0abd-4695-9967-553cce533999/5b790c2e-bfea-406c-af40-edc931ddeac3	false	Avira URL Cloud: safe	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
https://148.135.121.165/	sdiagnhost.exe, 00000003.00000003.1878124649.000001DFF903F000.00000004.00000020.00020000.00000000.sdmp, sdiagnhost.exe, 00000003.00000002.3100846109.000001DFF903F000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://148.135.121.165/r5J	sdiagnhost.exe, 00000005.00000003.1876714389.00000264CA2FD000.00000004.00000020.00020000.00000000.sdmp, sdiagnhost.exe, 00000005.00000002.3101489905.00000264CA2FE000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://148.135.121.165:443/39ffc7e3-0abd-4695-9967-553cce533999/5b790c2e-bfea-406c-af40-edc931ddeac	sdiagnhost.exe, 00000003.00000003.1878124649.000001DFF903F000.00000004.00000020.00020000.00000000.sdmp, sdiagnhost.exe, 00000003.00000002.3100846109.000001DFF903F000.00000004.00000020.00020000.00000000.sdmp, sdiagnhost.exe, 00000005.00000003.1876714389.00000264CA2FD000.00000004.00000020.00020000.00000000.sdmp, sdiagnhost.exe, 00000005.00000002.3101489905.00000264CA2FE000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://148.135.121.165/39ffc7e3-0abd-4695-9967-553cce533999/5b790c2e-bfea-406c-af40-edc931ddeac3e6p	sdiagnhost.exe, 00000005.00000003.1876714389.00000264CA2FD000.00000004.00000020.00020000.00000000.sdmp, sdiagnhost.exe, 00000005.00000002.3101489905.00000264CA2FE000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://148.135.121.165/39ffc7e3-0abd-4695-9967-553cce533999/5b790c2e-bfea-406c-af40-edc931ddeac30u0	sdiagnhost.exe, 00000003.00000003.1878209479.000001DFF9081000.00000004.00000020.00020000.00000000.sdmp, sdiagnhost.exe, 00000003.00000003.1877665240.000001DFF907F000.00000004.00000020.00020000.00000000.sdmp, sdiagnhost.exe, 00000005.00000003.1876779159.00000264CA341000.00000004.00000020.00020000.00000000.sdmp, sdiagnhost.exe, 00000005.00000003.1276315126.00000264CA33F000.00000004.00000020.00020000.00000000.sdmp, sdiagnhost.exe, 00000005.00000002.3101780226.00000264CA342000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
148.135.121.165	unknown	Sweden		158	ERI-ASUS	false

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1563002
Start date and time:	2024-11-26 11:42:00 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 5m 14s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Run name:	Run with higher sleep bypass
Number of analysed new started processes analysed:	20
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	BjLxqVU7m4.dll renamed because original name is a hash value
Original Sample Name:	4b7a85411716775d966284e879a6bda87feade4c9f40cb94ade6e217793e8a84.exe
Detection:	MAL
Classification:	mal72.evad.winDLL@12/0@0/1
EGA Information:	Successful, ratio: 100%
HCA Information:	Successful, ratio: 100% Number of executed functions: 15 Number of non-executed functions: 4
Cookbook Comments:	Found application associated with file extension: .dll Sleeps bigger than 100000000ms are automatically reduced to 1000ms Sleep loops longer than 100000000ms are bypassed. Single calls with delay of 100000000ms and higher are ignored

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, WMIADAP.exe, SIHClient.exe, SgrmBroker.exe, conhost.exe, backgroundTaskHost.exe, svchost.exe
Excluded domains from analysis (whitelisted): otelrules.azureedge.net, slscr.update.microsoft.com, ctldl.windowsupdate.com, time.windows.com, fe3cr.delivery.mp.microsoft.com
Not all processes where analyzed, report is missing behavior information
VT rate limit hit for: BjLxqVU7m4.dll

WriteProcessMemory, CloseHandle, VirtualAllocEx, CreateRemoteThread, CreateProcessA, WriteConsoleW, RtlCaptureContext, RtlLookupFunctionEntry, RtlVirtualUnwind, UnhandledExceptionFilter, SetUnhandledExceptionFilter, GetCurrentProcess, TerminateProcess, IsProcessorFeaturePresent, IsDebuggerPresent, GetStartupInfoW, GetModuleHandleW, QueryPerformanceCounter, GetCurrentProcessId, GetCurrentThreadId, GetSystemTimeAsFileTime, InitializeSListHead, RtlUnwindEx, RtlPcToFileHeader, RaiseException, InterlockedFlushSList, GetLastError, SetLastError, EncodePointer, EnterCriticalSection, LeaveCriticalSection, DeleteCriticalSection, InitializeCriticalSectionAndSpinCount, TlsAlloc, TlsGetValue, TlsSetValue, TlsFree, FreeLibrary, GetProcAddress, LoadLibraryExW, ExitProcess, GetModuleHandleExW, GetModuleFileNameW, HeapAlloc, HeapFree, FindClose, FindFirstFileExW, FindNextFileW, IsValidCodePage, GetACP, GetOEMCP, GetCPInfo, GetCommandLineA, GetCommandLineW, MultiByteToWideChar, WideCharToMultiByte, GetEnvironmentStringsW, FreeEnvironmentStringsW, FlsAlloc, FlsGetValue, FlsSetValue, FlsFree, LCMapStringW, GetProcessHeap, GetStdHandle, GetFileType, GetStringTypeW, HeapSize, HeapReAlloc, SetStdHandle, FlushFileBuffers, WriteFile, GetConsoleOutputCP, GetConsoleMode, SetFilePointerEx, CreateFileW

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	United States

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Nov 26, 2024 11:42:55.744107962 CET	49699	443	192.168.2.7	148.135.121.165
Nov 26, 2024 11:42:55.744154930 CET	443	49699	148.135.121.165	192.168.2.7
Nov 26, 2024 11:42:55.744246960 CET	49699	443	192.168.2.7	148.135.121.165
Nov 26, 2024 11:42:55.745874882 CET	49699	443	192.168.2.7	148.135.121.165
Nov 26, 2024 11:42:55.745891094 CET	443	49699	148.135.121.165	192.168.2.7
Nov 26, 2024 11:42:55.748723030 CET	49700	443	192.168.2.7	148.135.121.165
Nov 26, 2024 11:42:55.748823881 CET	443	49700	148.135.121.165	192.168.2.7
Nov 26, 2024 11:42:55.748895884 CET	49700	443	192.168.2.7	148.135.121.165
Nov 26, 2024 11:42:55.749773979 CET	49700	443	192.168.2.7	148.135.121.165
Nov 26, 2024 11:42:55.749808073 CET	443	49700	148.135.121.165	192.168.2.7
Nov 26, 2024 11:42:57.099767923 CET	443	49699	148.135.121.165	192.168.2.7
Nov 26, 2024 11:42:57.099893093 CET	49699	443	192.168.2.7	148.135.121.165
Nov 26, 2024 11:42:57.138814926 CET	443	49700	148.135.121.165	192.168.2.7
Nov 26, 2024 11:42:57.138886929 CET	49700	443	192.168.2.7	148.135.121.165
Nov 26, 2024 11:42:57.145385027 CET	49699	443	192.168.2.7	148.135.121.165
Nov 26, 2024 11:42:57.145400047 CET	443	49699	148.135.121.165	192.168.2.7
Nov 26, 2024 11:42:57.145636082 CET	443	49699	148.135.121.165	192.168.2.7
Nov 26, 2024 11:42:57.148854017 CET	49700	443	192.168.2.7	148.135.121.165
Nov 26, 2024 11:42:57.148881912 CET	443	49700	148.135.121.165	192.168.2.7
Nov 26, 2024 11:42:57.149082899 CET	443	49700	148.135.121.165	192.168.2.7
Nov 26, 2024 11:42:57.194308996 CET	49699	443	192.168.2.7	148.135.121.165
Nov 26, 2024 11:42:57.194339991 CET	49700	443	192.168.2.7	148.135.121.165
Nov 26, 2024 11:42:57.553790092 CET	49700	443	192.168.2.7	148.135.121.165
Nov 26, 2024 11:42:57.595355988 CET	443	49700	148.135.121.165	192.168.2.7
Nov 26, 2024 11:42:57.622183084 CET	49699	443	192.168.2.7	148.135.121.165
Nov 26, 2024 11:42:57.663328886 CET	443	49699	148.135.121.165	192.168.2.7
Nov 26, 2024 11:42:57.947935104 CET	443	49700	148.135.121.165	192.168.2.7
Nov 26, 2024 11:42:57.948120117 CET	443	49700	148.135.121.165	192.168.2.7
Nov 26, 2024 11:42:57.948188066 CET	49700	443	192.168.2.7	148.135.121.165
Nov 26, 2024 11:42:57.949054956 CET	49700	443	192.168.2.7	148.135.121.165
Nov 26, 2024 11:42:57.949084044 CET	443	49700	148.135.121.165	192.168.2.7
Nov 26, 2024 11:42:57.949100018 CET	49700	443	192.168.2.7	148.135.121.165
Nov 26, 2024 11:42:57.949106932 CET	443	49700	148.135.121.165	192.168.2.7
Nov 26, 2024 11:42:58.074325085 CET	443	49699	148.135.121.165	192.168.2.7
Nov 26, 2024 11:42:58.074410915 CET	443	49699	148.135.121.165	192.168.2.7
Nov 26, 2024 11:42:58.074472904 CET	49699	443	192.168.2.7	148.135.121.165
Nov 26, 2024 11:42:58.074687958 CET	49699	443	192.168.2.7	148.135.121.165
Nov 26, 2024 11:42:58.074704885 CET	443	49699	148.135.121.165	192.168.2.7
Nov 26, 2024 11:42:58.074718952 CET	49699	443	192.168.2.7	148.135.121.165
Nov 26, 2024 11:42:58.074733019 CET	443	49699	148.135.121.165	192.168.2.7

HTTP Request Dependency Graph

148.135.121.165

HTTPS Proxied Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.7	49700	148.135.121.165	443	7460	C:\Windows\System32\sdiagnhost.exe

Timestamp	Bytes transferred	Direction	Data
2024-11-26 10:42:57 UTC	194	OUT	GET /39ffc7e3-0abd-4695-9967-553cce533999/5b790c2e-bfea-406c-af40-edc931ddeac3 HTTP/1.1 Connection: Keep-Alive Content-Type: text/plain User-Agent: HCMUS-CTF Botnet Host: 148.135.121.165
2024-11-26 10:42:57 UTC	192	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Tue, 26 Nov 2024 10:42:57 GMT Content-Type: application/octet-stream Content-Length: 93 Connection: close Content-Type: text/plain
2024-11-26 10:42:57 UTC	93	IN	Data Raw: 54 68 69 73 20 69 73 20 61 20 66 61 6b 65 20 43 32 20 73 65 72 76 65 72 20 74 68 61 74 20 67 69 76 65 73 20 79 6f 75 20 74 68 65 20 66 6c 61 67 2e 20 48 65 72 65 20 79 6f 75 20 67 6f 3a 20 48 43 4d 55 53 2d 43 54 46 7b 63 34 74 63 48 2d 6d 33 2d 31 66 2d 7c 5f 7c 2d 63 34 4e 7d Data Ascii: This is a fake C2 server that gives you the flag. Here you go: HCMUS-CTF{c4tcH-m3-1f-\|_\|-c4N}

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.2.7	49699	148.135.121.165	443	7408	C:\Windows\System32\sdiagnhost.exe

Timestamp	Bytes transferred	Direction	Data
2024-11-26 10:42:57 UTC	194	OUT	GET /39ffc7e3-0abd-4695-9967-553cce533999/5b790c2e-bfea-406c-af40-edc931ddeac3 HTTP/1.1 Connection: Keep-Alive Content-Type: text/plain User-Agent: HCMUS-CTF Botnet Host: 148.135.121.165
2024-11-26 10:42:58 UTC	192	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Tue, 26 Nov 2024 10:42:57 GMT Content-Type: application/octet-stream Content-Length: 93 Connection: close Content-Type: text/plain
2024-11-26 10:42:58 UTC	93	IN	Data Raw: 54 68 69 73 20 69 73 20 61 20 66 61 6b 65 20 43 32 20 73 65 72 76 65 72 20 74 68 61 74 20 67 69 76 65 73 20 79 6f 75 20 74 68 65 20 66 6c 61 67 2e 20 48 65 72 65 20 79 6f 75 20 67 6f 3a 20 48 43 4d 55 53 2d 43 54 46 7b 63 34 74 63 48 2d 6d 33 2d 31 66 2d 7c 5f 7c 2d 63 34 4e 7d Data Ascii: This is a fake C2 server that gives you the flag. Here you go: HCMUS-CTF{c4tcH-m3-1f-\|_\|-c4N}

Target ID:	0
Start time:	05:42:53
Start date:	26/11/2024
Path:	C:\Windows\System32\loaddll64.exe
Wow64 process (32bit):	false
Commandline:	loaddll64.exe "C:\Users\user\Desktop\BjLxqVU7m4.dll"
Imagebase:	0x7ff6ad360000
File size:	165'888 bytes
MD5 hash:	763455F9DCB24DFEECC2B9D9F8D46D52
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: Windows_Trojan_Donutloader_f40e3759, Description: unknown, Source: 00000000.00000002.2450460206.000000EE24142000.00000004.00000010.00020000.00000000.sdmp, Author: unknown Rule: Windows_Trojan_Donutloader_f40e3759, Description: unknown, Source: 00000000.00000003.2450321100.0000020E89DFC000.00000004.00000020.00020000.00000000.sdmp, Author: unknown
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	1
Start time:	05:42:54
Start date:	26/11/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff75da10000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	2
Start time:	05:42:54
Start date:	26/11/2024
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	cmd.exe /C rundll32.exe "C:\Users\user\Desktop\BjLxqVU7m4.dll",#1
Imagebase:	0x7ff78a900000
File size:	289'792 bytes
MD5 hash:	8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	3
Start time:	05:42:54
Start date:	26/11/2024
Path:	C:\Windows\System32\sdiagnhost.exe
Wow64 process (32bit):	false
Commandline:	c:\windows\System32\sdiagnhost.exe
Imagebase:	0x7ff7d5040000
File size:	40'448 bytes
MD5 hash:	3A161A0124CE64840140D6A9943A5DD3
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: Windows_Trojan_Donutloader_f40e3759, Description: unknown, Source: 00000003.00000002.3100684042.000001DFF8EE0000.00000040.00000400.00020000.00000000.sdmp, Author: unknown
Reputation:	low
Has exited:	false

Show Windows behavior

Target ID:	4
Start time:	05:42:54
Start date:	26/11/2024
Path:	C:\Windows\System32\rundll32.exe
Wow64 process (32bit):	false
Commandline:	rundll32.exe "C:\Users\user\Desktop\BjLxqVU7m4.dll",#1
Imagebase:	0x7ff7b76c0000
File size:	71'680 bytes
MD5 hash:	EF3179D498793BF4234F708D3BE28633
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: Windows_Trojan_Donutloader_f40e3759, Description: unknown, Source: 00000004.00000003.1292237579.000001E618988000.00000004.00000020.00020000.00000000.sdmp, Author: unknown Rule: Windows_Trojan_Donutloader_f40e3759, Description: unknown, Source: 00000004.00000002.1292570457.0000005A5A9E2000.00000004.00000010.00020000.00000000.sdmp, Author: unknown
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	5
Start time:	05:42:54
Start date:	26/11/2024
Path:	C:\Windows\System32\sdiagnhost.exe
Wow64 process (32bit):	false
Commandline:	c:\windows\System32\sdiagnhost.exe
Imagebase:	0x7ff7d5040000
File size:	40'448 bytes
MD5 hash:	3A161A0124CE64840140D6A9943A5DD3
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: Windows_Trojan_Donutloader_f40e3759, Description: unknown, Source: 00000005.00000002.3100687201.00000264CA0E0000.00000040.00000400.00020000.00000000.sdmp, Author: unknown
Reputation:	low
Has exited:	false

Show Windows behavior

Target ID:	6
Start time:	05:42:54
Start date:	26/11/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff75da10000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	false

Show Windows behavior

Target ID:	8
Start time:	05:42:54
Start date:	26/11/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff75da10000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	false

Show Windows behavior

Execution Graph

Execution Coverage:	11%
Dynamic/Decrypted Code Coverage:	7%
Signature Coverage:	40%
Total number of Nodes:	100
Total number of Limit Nodes:	5

Executed Functions

Function 000001DFF8EE75CD Relevance: 16.8, APIs: 8, Strings: 1, Instructions: 1066memorynativeCOMMON

Download Yara Rule

APIs

NtCreateSection.NTDLL ref: 000001DFF8EE76DE
NtMapViewOfSection.NTDLL ref: 000001DFF8EE77C9
VirtualAlloc.KERNELBASE ref: 000001DFF8EE7BCA
NtUnmapViewOfSection.NTDLL ref: 000001DFF8EE7C61
NtMapViewOfSection.NTDLL ref: 000001DFF8EE7CC3
VirtualProtect.KERNELBASE ref: 000001DFF8EE7CEA

Part of subcall function 000001DFF8EE85C5: LoadLibraryA.KERNELBASE ref: 000001DFF8EE8693

VirtualProtect.KERNELBASE ref: 000001DFF8EE7DC2
VirtualProtect.KERNELBASE ref: 000001DFF8EE7E02

Strings

@, xrefs: 000001DFF8EE76CC

Memory Dump Source

Source File: 00000003.00000002.3100684042.000001DFF8EE0000.00000040.00000400.00020000.00000000.sdmp, Offset: 000001DFF8EE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1dff8ee0000_sdiagnhost.jbxd

Yara matches

Similarity

API ID: SectionVirtual$ProtectView$AllocCreateLibraryLoadUnmap
String ID: @
API String ID: 491204081-2766056989
Opcode ID: c37129cb37b3c8bba6147fbaa10fd2a9893dc3c91af62d8663cd2f8e877685fb
Instruction ID: eece3efbb7162d3d8069d0163546368f598b1d0fa8c3eb0905b230e142753cb0
Opcode Fuzzy Hash: c37129cb37b3c8bba6147fbaa10fd2a9893dc3c91af62d8663cd2f8e877685fb
Instruction Fuzzy Hash: A072D471618B588BEB6DDF68C8857E973E1FB98300F15453ED88BC7281EB74EA428741

Function 000001DFF8EE6DC5 Relevance: 1.6, APIs: 1, Instructions: 380
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VirtualAlloc.KERNELBASE ref: 000001DFF8EE6E38

Memory Dump Source

Source File: 00000003.00000002.3100684042.000001DFF8EE0000.00000040.00000400.00020000.00000000.sdmp, Offset: 000001DFF8EE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1dff8ee0000_sdiagnhost.jbxd

Yara matches

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 4e8b8247e7cc9eb48ab3447efde51f251e79aa77b60fd31208de4e14b5e2697b
Instruction ID: 6c6f34d7f47a7b7a5912b96d7e7fe85d617f85174550bc2a556ce87361ac500f
Opcode Fuzzy Hash: 4e8b8247e7cc9eb48ab3447efde51f251e79aa77b60fd31208de4e14b5e2697b
Instruction Fuzzy Hash: 69C17372314A294BEB5CEBA8C8917E9B3D1FB94300F15413FD44BC3296DB68EA17C681

Function 000001DFFA9311C0 Relevance: .3, Instructions: 265
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000003.00000002.3101761958.000001DFFA931000.00000020.10000000.00040000.00000000.sdmp, Offset: 000001DFFA931000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1dffa931000_sdiagnhost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a94a9a69f4a1ab2ff4704a3eed6c67e80d4683e942e9756375f98649269b46e2
Instruction ID: bcc707f488b8f93e26f9e79ed50c3744bee31fa38339b8475c519ced170c94c4
Opcode Fuzzy Hash: a94a9a69f4a1ab2ff4704a3eed6c67e80d4683e942e9756375f98649269b46e2
Instruction Fuzzy Hash: 3F71C47161CF484FDB58EF2898493AA77E5FB99304F10026EE44BC32A2DF74D9068785

Function 000001DFF8EE5D15 Relevance: 6.1, APIs: 4, Instructions: 133
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 000001DFF8EE85C5: LoadLibraryA.KERNELBASE ref: 000001DFF8EE8693

VirtualProtect.KERNELBASE ref: 000001DFF8EE5D91
VirtualProtect.KERNELBASE ref: 000001DFF8EE5DBA
VirtualProtect.KERNELBASE ref: 000001DFF8EE5DFF
VirtualProtect.KERNELBASE ref: 000001DFF8EE5E23

Memory Dump Source

Source File: 00000003.00000002.3100684042.000001DFF8EE0000.00000040.00000400.00020000.00000000.sdmp, Offset: 000001DFF8EE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1dff8ee0000_sdiagnhost.jbxd

Yara matches

Similarity

API ID: ProtectVirtual$LibraryLoad
String ID:
API String ID: 895956442-0
Opcode ID: 8400098549b82502c2f5a9c421df171acaf346d87819800aa738181b0ab5da70
Instruction ID: 68888bd3ad6ffe0e40c6052e23b3c3726cedb273c88e36a47904d64a93dd177d
Opcode Fuzzy Hash: 8400098549b82502c2f5a9c421df171acaf346d87819800aa738181b0ab5da70
Instruction Fuzzy Hash: 4F319872318A184BD75CAB989C567AA73D9E7C4310F01057EA84FC32D9DD64DE0746C1

Function 000001DFF8EE5D84 Relevance: 6.1, APIs: 4, Instructions: 89
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VirtualProtect.KERNELBASE ref: 000001DFF8EE5D91
VirtualProtect.KERNELBASE ref: 000001DFF8EE5DBA
VirtualProtect.KERNELBASE ref: 000001DFF8EE5DFF
VirtualProtect.KERNELBASE ref: 000001DFF8EE5E23

Memory Dump Source

Source File: 00000003.00000002.3100684042.000001DFF8EE0000.00000040.00000400.00020000.00000000.sdmp, Offset: 000001DFF8EE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1dff8ee0000_sdiagnhost.jbxd

Yara matches

Similarity

API ID: ProtectVirtual
String ID:
API String ID: 544645111-0
Opcode ID: 914d75a376068fc31bfbded977a9d44f63d4b8c845bdf52e5f4dfcb5cec16c11
Instruction ID: 8247b3fa3b9ae072068e4a67956dd4471d806368a20ff86f03427d9e57255684
Opcode Fuzzy Hash: 914d75a376068fc31bfbded977a9d44f63d4b8c845bdf52e5f4dfcb5cec16c11
Instruction Fuzzy Hash: 5E21817230CA284BDB68AB9CA8563A973D5E7C8710F11057EA84BC33DADD68DE034681

Function 000001DFFA931440 Relevance: 3.7, APIs: 1, Strings: 1, Instructions: 229
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SleepEx.KERNELBASE ref: 000001DFFA9315F1

Strings

HCMU, xrefs: 000001DFFA93148C

Memory Dump Source

Source File: 00000003.00000002.3101761958.000001DFFA931000.00000020.10000000.00040000.00000000.sdmp, Offset: 000001DFFA931000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1dffa931000_sdiagnhost.jbxd

Similarity

API ID: Sleep
String ID: HCMU
API String ID: 3472027048-1408108644
Opcode ID: f4d16d696d8258c7e4b693e4f7ba327b9e3cf8e69538a5a4c7d8dbeb5bf79d3d
Instruction ID: 81fbed9521d2a56f515d7a926087a7afe9555f3034a8b320d186687a9023e9ed
Opcode Fuzzy Hash: f4d16d696d8258c7e4b693e4f7ba327b9e3cf8e69538a5a4c7d8dbeb5bf79d3d
Instruction Fuzzy Hash: 60613932928F084BDF24AF2C94893EA72E5FF58314F60463EE45BD31E6D634D9868681

Function 000001DFF8EE85C5 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 104
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LoadLibraryA.KERNELBASE ref: 000001DFF8EE8693

Strings

l, xrefs: 000001DFF8EE862D

Memory Dump Source

Source File: 00000003.00000002.3100684042.000001DFF8EE0000.00000040.00000400.00020000.00000000.sdmp, Offset: 000001DFF8EE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1dff8ee0000_sdiagnhost.jbxd

Yara matches

Similarity

API ID: LibraryLoad
String ID: l
API String ID: 1029625771-2517025534
Opcode ID: 17942f13ed0cde813e798f87a7dfef04ab11e23e44ed8671c4d85ae2c9c13351
Instruction ID: 94a5c5ac4d4be9267b6d6d01345fdc60997094002f9998cddb59453680e504eb
Opcode Fuzzy Hash: 17942f13ed0cde813e798f87a7dfef04ab11e23e44ed8671c4d85ae2c9c13351
Instruction Fuzzy Hash: 9B31D471618AAA4FE759DF2CC044B61BBD5FBA9308F2556BDC0EBC7192DB64C8078701

Function 000001DFF8EE5E41 Relevance: 3.1, APIs: 2, Instructions: 63
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 000001DFF8EE85C5: LoadLibraryA.KERNELBASE ref: 000001DFF8EE8693

VirtualProtect.KERNELBASE ref: 000001DFF8EE5E8F
VirtualProtect.KERNELBASE ref: 000001DFF8EE5EB7

Memory Dump Source

Source File: 00000003.00000002.3100684042.000001DFF8EE0000.00000040.00000400.00020000.00000000.sdmp, Offset: 000001DFF8EE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1dff8ee0000_sdiagnhost.jbxd

Yara matches

Similarity

API ID: ProtectVirtual$LibraryLoad
String ID:
API String ID: 895956442-0
Opcode ID: 2a6024b9db74f160a7b58b3b0515e351414b1f3c9a0cbad83c4302ef420070c7
Instruction ID: de3791c5968871356e945c92f8b5451f2e49e3b9397b4ddfe57ce8ef3a5b6243
Opcode Fuzzy Hash: 2a6024b9db74f160a7b58b3b0515e351414b1f3c9a0cbad83c4302ef420070c7
Instruction Fuzzy Hash: CC11A531318A184BDB98EB5898956AA73D5FBD8300F00057EAC4BC7299DE64DE428781

Non-executed Functions

Function 000001DFF8EEA8C5 Relevance: .7, Instructions: 730COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.3100684042.000001DFF8EE0000.00000040.00000400.00020000.00000000.sdmp, Offset: 000001DFF8EE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1dff8ee0000_sdiagnhost.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f830e609fe5cee47e6c16999e452ce305c1c12be961c10b305ce6362bf0b176d
Instruction ID: 91fdb5310af2459ff0c67c9b3e60d4a30be86a55eac14b473018b4257d2db374
Opcode Fuzzy Hash: f830e609fe5cee47e6c16999e452ce305c1c12be961c10b305ce6362bf0b176d
Instruction Fuzzy Hash: 6F52D1B26043119FE768CF94C845BABB7E5EF84710F05483EF98697281D7B8EA42CB51

Function 000001DFF8EE5ED1 Relevance: .4, Instructions: 429COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.3100684042.000001DFF8EE0000.00000040.00000400.00020000.00000000.sdmp, Offset: 000001DFF8EE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1dff8ee0000_sdiagnhost.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1d4d866763d3bed20dc280203f6102a30c73feaa7c60b621d7a564ee5d7695d8
Instruction ID: cf763b7b23f9092cfae65e31dc105798bb75cc8dd05d4fb9cd3049dd16f86b29
Opcode Fuzzy Hash: 1d4d866763d3bed20dc280203f6102a30c73feaa7c60b621d7a564ee5d7695d8
Instruction Fuzzy Hash: 6DE18471718A598BEB6C9F6898497EEB7E5FB58301F01422ED84BC3250DF74EA02C781

Function 000001DFF8EE7195 Relevance: .4, Instructions: 409COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.3100684042.000001DFF8EE0000.00000040.00000400.00020000.00000000.sdmp, Offset: 000001DFF8EE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1dff8ee0000_sdiagnhost.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3e74d2aa687a79bc353c1e30e2761018af6d861ea5a8c8f1c92844b65f1d9ba9
Instruction ID: 63430b8b1b8048352d8803dd6ee04ff18d5ff899166b6075a1ea165f60d5ad7a
Opcode Fuzzy Hash: 3e74d2aa687a79bc353c1e30e2761018af6d861ea5a8c8f1c92844b65f1d9ba9
Instruction Fuzzy Hash: A0E15F71518A0C8FDB59EF28D8896EA77E1FF98300F04466EE84BC7155DF30E9568B81

Function 000001DFF8EE806D Relevance: .3, Instructions: 283COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.3100684042.000001DFF8EE0000.00000040.00000400.00020000.00000000.sdmp, Offset: 000001DFF8EE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1dff8ee0000_sdiagnhost.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 55def3579c95d66bb74bd3e75744c244041454eda364e5e205e1004b0ebe1f4c
Instruction ID: b2f3ada05e4a45f7fbb8e7c6ee8fbcd4d36900374bb730b19aa802223ef6164b
Opcode Fuzzy Hash: 55def3579c95d66bb74bd3e75744c244041454eda364e5e205e1004b0ebe1f4c
Instruction Fuzzy Hash: 6CA13F71608A1C8FDB59EF68C889BDA77E5FB68315F10466FE44AC7160EB30D645CB80

Analysis Process: sdiagnhost.exePID: 7460, Parent PID: 7432COMMON

Execution Graph

Execution Coverage:	11%
Dynamic/Decrypted Code Coverage:	7.1%
Signature Coverage:	0%
Total number of Nodes:	99
Total number of Limit Nodes:	6

Executed Functions

Function 00000264CA0E75CD Relevance: 16.8, APIs: 8, Strings: 1, Instructions: 1066memorynativeCOMMON

Download Yara Rule

APIs

NtCreateSection.NTDLL ref: 00000264CA0E76DE
NtMapViewOfSection.NTDLL ref: 00000264CA0E77C9
VirtualAlloc.KERNELBASE ref: 00000264CA0E7BCA
NtUnmapViewOfSection.NTDLL ref: 00000264CA0E7C61
NtMapViewOfSection.NTDLL ref: 00000264CA0E7CC3
VirtualProtect.KERNELBASE ref: 00000264CA0E7CEA

Part of subcall function 00000264CA0E85C5: LoadLibraryA.KERNELBASE ref: 00000264CA0E8693

VirtualProtect.KERNELBASE ref: 00000264CA0E7DC2
VirtualProtect.KERNELBASE ref: 00000264CA0E7E02

Strings

@, xrefs: 00000264CA0E76CC

Memory Dump Source

Source File: 00000005.00000002.3100687201.00000264CA0E0000.00000040.00000400.00020000.00000000.sdmp, Offset: 00000264CA0E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_264ca0e0000_sdiagnhost.jbxd

Yara matches

Similarity

API ID: SectionVirtual$ProtectView$AllocCreateLibraryLoadUnmap
String ID: @
API String ID: 491204081-2766056989
Opcode ID: c37129cb37b3c8bba6147fbaa10fd2a9893dc3c91af62d8663cd2f8e877685fb
Instruction ID: 5e4bb06893201af4cafc158ef6626e7c2f821c90ad2bd4efd127794c7ba3c690
Opcode Fuzzy Hash: c37129cb37b3c8bba6147fbaa10fd2a9893dc3c91af62d8663cd2f8e877685fb
Instruction Fuzzy Hash: 5272D830615B488FDB69EF29C8897A973E1FB99341F14452FD4CAC7381DB31E9829741

Function 00000264CA0E6DC5 Relevance: 1.6, APIs: 1, Instructions: 380
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VirtualAlloc.KERNELBASE ref: 00000264CA0E6E38

Memory Dump Source

Source File: 00000005.00000002.3100687201.00000264CA0E0000.00000040.00000400.00020000.00000000.sdmp, Offset: 00000264CA0E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_264ca0e0000_sdiagnhost.jbxd

Yara matches

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 4e8b8247e7cc9eb48ab3447efde51f251e79aa77b60fd31208de4e14b5e2697b
Instruction ID: 5ec13b506c80f57010abb1e91015d08e307e8fdba217b3073208122befc499b4
Opcode Fuzzy Hash: 4e8b8247e7cc9eb48ab3447efde51f251e79aa77b60fd31208de4e14b5e2697b
Instruction Fuzzy Hash: 73C1F730315E098BEB58FF29D4997A9B3D1FB95341F14056BD4CAC3386EB22EC869781

Function 00000264CA0E5D15 Relevance: 6.1, APIs: 4, Instructions: 133
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00000264CA0E85C5: LoadLibraryA.KERNELBASE ref: 00000264CA0E8693

VirtualProtect.KERNELBASE ref: 00000264CA0E5D91
VirtualProtect.KERNELBASE ref: 00000264CA0E5DBA
VirtualProtect.KERNELBASE ref: 00000264CA0E5DFF
VirtualProtect.KERNELBASE ref: 00000264CA0E5E23

Memory Dump Source

Source File: 00000005.00000002.3100687201.00000264CA0E0000.00000040.00000400.00020000.00000000.sdmp, Offset: 00000264CA0E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_264ca0e0000_sdiagnhost.jbxd

Yara matches

Similarity

API ID: ProtectVirtual$LibraryLoad
String ID:
API String ID: 895956442-0
Opcode ID: 8400098549b82502c2f5a9c421df171acaf346d87819800aa738181b0ab5da70
Instruction ID: 12c90d8d32a192872ceec36fadf41904cfc5062fb4fb13d230a502db937fc8ad
Opcode Fuzzy Hash: 8400098549b82502c2f5a9c421df171acaf346d87819800aa738181b0ab5da70
Instruction Fuzzy Hash: AB31B63131CA084BD768BE59985936A73D9E7C5360F00066FA8CFC33CAED65ED4696C1

Function 00000264CA0E5D84 Relevance: 6.1, APIs: 4, Instructions: 89
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VirtualProtect.KERNELBASE ref: 00000264CA0E5D91
VirtualProtect.KERNELBASE ref: 00000264CA0E5DBA
VirtualProtect.KERNELBASE ref: 00000264CA0E5DFF
VirtualProtect.KERNELBASE ref: 00000264CA0E5E23

Memory Dump Source

Source File: 00000005.00000002.3100687201.00000264CA0E0000.00000040.00000400.00020000.00000000.sdmp, Offset: 00000264CA0E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_264ca0e0000_sdiagnhost.jbxd

Yara matches

Similarity

API ID: ProtectVirtual
String ID:
API String ID: 544645111-0
Opcode ID: 914d75a376068fc31bfbded977a9d44f63d4b8c845bdf52e5f4dfcb5cec16c11
Instruction ID: c77e0210959572d47ffbd33d19294a9e693adb4a4fd8bedf6d11e8f5d3dd515b
Opcode Fuzzy Hash: 914d75a376068fc31bfbded977a9d44f63d4b8c845bdf52e5f4dfcb5cec16c11
Instruction Fuzzy Hash: 47218E3130CA084BDB68BE5DA85936973D9E7C8760F10056BA8CBC33CADD25ED464682

Function 00000264CA281440 Relevance: 3.7, APIs: 1, Strings: 1, Instructions: 229
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SleepEx.KERNELBASE ref: 00000264CA2815F1

Strings

HCMU, xrefs: 00000264CA28148C

Memory Dump Source

Source File: 00000005.00000002.3101043223.00000264CA281000.00000020.10000000.00040000.00000000.sdmp, Offset: 00000264CA281000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_264ca281000_sdiagnhost.jbxd

Similarity

API ID: Sleep
String ID: HCMU
API String ID: 3472027048-1408108644
Opcode ID: f4d16d696d8258c7e4b693e4f7ba327b9e3cf8e69538a5a4c7d8dbeb5bf79d3d
Instruction ID: 32772b88568f0da5587e5b15e2bc08cce69ec6ac87654effae34f1673221beb8
Opcode Fuzzy Hash: f4d16d696d8258c7e4b693e4f7ba327b9e3cf8e69538a5a4c7d8dbeb5bf79d3d
Instruction Fuzzy Hash: 19612932929E184BEB08BF29949D7E973D1FB58310F50465BF89AC33D6DA35D8C08782

Function 00000264CA0E85C5 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 104
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LoadLibraryA.KERNELBASE ref: 00000264CA0E8693

Strings

l, xrefs: 00000264CA0E862D

Memory Dump Source

Source File: 00000005.00000002.3100687201.00000264CA0E0000.00000040.00000400.00020000.00000000.sdmp, Offset: 00000264CA0E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_264ca0e0000_sdiagnhost.jbxd

Yara matches

Similarity

API ID: LibraryLoad
String ID: l
API String ID: 1029625771-2517025534
Opcode ID: 17942f13ed0cde813e798f87a7dfef04ab11e23e44ed8671c4d85ae2c9c13351
Instruction ID: 9f0ceea8b1ee75a17cbe41fe775e884e27d3754f9d9cd600c84f31dd8a5fb694
Opcode Fuzzy Hash: 17942f13ed0cde813e798f87a7dfef04ab11e23e44ed8671c4d85ae2c9c13351
Instruction Fuzzy Hash: E431E430519B854FE795EF2DC048B21BBD5FBAA348F2456BEC0DAC7292DB21C84A8701

Function 00000264CA0E5E41 Relevance: 3.1, APIs: 2, Instructions: 63
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00000264CA0E85C5: LoadLibraryA.KERNELBASE ref: 00000264CA0E8693

VirtualProtect.KERNELBASE ref: 00000264CA0E5E8F
VirtualProtect.KERNELBASE ref: 00000264CA0E5EB7

Memory Dump Source

Source File: 00000005.00000002.3100687201.00000264CA0E0000.00000040.00000400.00020000.00000000.sdmp, Offset: 00000264CA0E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_264ca0e0000_sdiagnhost.jbxd

Yara matches

Similarity

API ID: ProtectVirtual$LibraryLoad
String ID:
API String ID: 895956442-0
Opcode ID: 2a6024b9db74f160a7b58b3b0515e351414b1f3c9a0cbad83c4302ef420070c7
Instruction ID: 3db14810afe46603b5a534794cd3504fac335b1beea72d6d446abcff660160a0
Opcode Fuzzy Hash: 2a6024b9db74f160a7b58b3b0515e351414b1f3c9a0cbad83c4302ef420070c7
Instruction Fuzzy Hash: D111A531718B084BDB98FF19989966A73D5FBD9340F00056BAC8AC7349DE21DD858781

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link
148.135.121.165	Ne7qNMCeuy.exe	Get hash	malicious	Unknown	Browse
	Q7I4ToJZ0R.exe	Get hash	malicious	Unknown	Browse
	Ne7qNMCeuy.exe	Get hash	malicious	Unknown	Browse
	Q7I4ToJZ0R.exe	Get hash	malicious	Unknown	Browse

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
ERI-ASUS	Ne7qNMCeuy.exe	Get hash	malicious	Unknown	Browse	148.135.121.165
	Q7I4ToJZ0R.exe	Get hash	malicious	Unknown	Browse	148.135.121.165
	Ne7qNMCeuy.exe	Get hash	malicious	Unknown	Browse	148.135.121.165
	Q7I4ToJZ0R.exe	Get hash	malicious	Unknown	Browse	148.135.121.165
	la.bot.sh4.elf	Get hash	malicious	Unknown	Browse	150.132.118.42
	loligang.ppc.elf	Get hash	malicious	Mirai	Browse	147.214.206.40
	apep.x86.elf	Get hash	malicious	Mirai	Browse	131.168.79.136
	zgp.elf	Get hash	malicious	Mirai	Browse	148.135.186.71
	arm5.nn.elf	Get hash	malicious	Mirai, Okiru	Browse	169.144.189.36

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
72a589da586844d7f0818ce684948eea	Ne7qNMCeuy.exe	Get hash	malicious	Unknown	Browse	148.135.121.165
	Q7I4ToJZ0R.exe	Get hash	malicious	Unknown	Browse	148.135.121.165
	Ne7qNMCeuy.exe	Get hash	malicious	Unknown	Browse	148.135.121.165
	Q7I4ToJZ0R.exe	Get hash	malicious	Unknown	Browse	148.135.121.165
	LgigaSKsL6.exe	Get hash	malicious	SmokeLoader	Browse	148.135.121.165
	file.exe	Get hash	malicious	SmokeLoader	Browse	148.135.121.165
	mGFoU1INUk.exe	Get hash	malicious	SmokeLoader	Browse	148.135.121.165
	uSIvID4Y7U.exe	Get hash	malicious	SmokeLoader	Browse	148.135.121.165
	wBgwzVbZuV.exe	Get hash	malicious	SmokeLoader	Browse	148.135.121.165

File type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Entropy (8bit):	5.397375470102125
TrID:	Win64 Dynamic Link Library (generic) (102004/3) 86.43% Win64 Executable (generic) (12005/4) 10.17% Generic Win/DOS Executable (2004/3) 1.70% DOS Executable Generic (2002/1) 1.70% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.01%
File name:	BjLxqVU7m4.dll
File size:	494'592 bytes
MD5:	bd804dfa6fafa1917f83060a30f7f1d0
SHA1:	68cc23c6877806705588ceb6fec57d913a543c1d
SHA256:	4b7a85411716775d966284e879a6bda87feade4c9f40cb94ade6e217793e8a84
SHA512:	707556ba18b3489bf808cb1d019cd28d4c7bbce782507e402c225aaae19a84e2b440e037faa1f971138c4cf21687f3bedabc3841fc743e58a46df2e914e0af54
SSDEEP:	12288:m40yN1KHlD9FmE02qUlLno8shIvaLzSAOXR4DbT8miyK/AIT/D:m40ynslDGLtUlLno8gIyLzSAOXufT8mc
TLSH:	15B4AE8C63AD4A7CE525CA341C47A784B2F3BC4C9650EF7A1A947CA23D1F581F87A9D0
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......f.6i".X:".X:".X:i.[;'.X:i.];..X:i.\;(.X:2;[;+.X:2;\;,.X:2;];..X:i.Y;!.X:".Y:..X:i:Q;#.X:i:.:#.X:i:Z;#.X:Rich".X:........PE..d..

Entrypoint:	0x18005fe00
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x180000000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, DLL
DLL Characteristics:	HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT
Time Stamp:	0x67322CD2 [Mon Nov 11 16:12:02 2024 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	6
OS Version Minor:	0
File Version Major:	6
File Version Minor:	0
Subsystem Version Major:	6
Subsystem Version Minor:	0
Import Hash:	7ff3d1e87d95163015bce24ecab3c29c

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x77384	0x28	.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x7c000	0xf8	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x7a000	0x108c	.pdata
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x7d000	0x67c	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x75a30	0x38	.rdata
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x758f0	0x140	.rdata
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x6e000	0x268	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x6c391	0x6c400	bb677fae1f916ec8f6b527bf7b97ac2c	False	0.4373894883083141	data	5.363101479126426	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata	0x6e000	0x9ba6	0x9c00	52db703257b5aaa2998a36764458115c	False	0.42225060096153844	zlib compressed data	4.783106084134961	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0x78000	0x1d7c	0xc00	5f6274e895e20194e4daeab242f66ba8	False	0.15071614583333334	DOS executable (block device driver)	2.2457774802989823	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.pdata	0x7a000	0x108c	0x1200	549c54645e00ef4e6ad04d654e5f2bb1	False	0.4453125	data	5.060326050579461	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.rsrc	0x7c000	0xf8	0x200	0deaaac3f0dc5653aa759e15c976e2c4	False	0.3359375	data	2.5312981004807127	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0x7d000	0x67c	0x800	fae7c8c79b00d77c9832e40025ac35ed	False	0.4990234375	data	4.935308952064295	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse rundll32.exe to proxy execution of malicious code. Using rundll32.exe, vice executing directly (i.e. Shared Modules ), may avoid triggering security tools that may not monitor execution of the rundll32.exe process because of allowlists or false positives from normal operations. Rundll32.exe is commonly associated with executing DLL payloads (ex: `rundll32.exe {DLLname, DLLfunction}` ).
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report BjLxqVU7m4.dll

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Yara Signatures

Memory Dumps

Sigma Signatures

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Networking

System Summary

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Data Directories

Sections

Resources

Imports

Possible Origin

Network Behavior

Network Port Distribution

TCP Packets

HTTP Request Dependency Graph

HTTPS Proxied Packets

Statistics

CPU Usage

Memory Usage

Behavior

System Behavior

Analysis Process: loaddll64.exePID: 7348, Parent PID: 4056

General

Chronological Activities

Analysis Process: conhost.exePID: 7356, Parent PID: 7348

Windows Analysis Report
BjLxqVU7m4.dll

Function 000001DFF8EE6DC5 Relevance: 1.6, APIs: 1, Instructions: 380
memoryCOMMON

Function 000001DFFA9311C0 Relevance: .3, Instructions: 265
COMMON

Function 000001DFF8EE5D15 Relevance: 6.1, APIs: 4, Instructions: 133
memoryCOMMON

Function 000001DFF8EE5D84 Relevance: 6.1, APIs: 4, Instructions: 89
memoryCOMMON

Function 000001DFFA931440 Relevance: 3.7, APIs: 1, Strings: 1, Instructions: 229
COMMON

Function 000001DFF8EE85C5 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 104
libraryCOMMON

Function 000001DFF8EE5E41 Relevance: 3.1, APIs: 2, Instructions: 63
memoryCOMMON

Function 00000264CA0E6DC5 Relevance: 1.6, APIs: 1, Instructions: 380
memoryCOMMON

Function 00000264CA0E5D15 Relevance: 6.1, APIs: 4, Instructions: 133
memoryCOMMON

Function 00000264CA0E5D84 Relevance: 6.1, APIs: 4, Instructions: 89
memoryCOMMON

Function 00000264CA281440 Relevance: 3.7, APIs: 1, Strings: 1, Instructions: 229
COMMON

Function 00000264CA0E85C5 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 104
libraryCOMMON

Function 00000264CA0E5E41 Relevance: 3.1, APIs: 2, Instructions: 63
memoryCOMMON